An in-range update of openpgp is breaking the build 🚨

[greenkeeper]

The dependency openpgp was updated from 4.5.5 to 4.6.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

openpgp is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details

• ❌ continuous-integration/travis-ci/push: The Travis CI build failed (Details).

---

Commits

The new version differs by 25 commits.

• c685e34 Release new version
• 8d4440a Merge pull request #895 from twiss/fix-unencrypted-v5-keys
• 8f54c00 Bump link to draft spec in README.md
• a184ef6 Remove support for the previous draft00 AEAD
• 80c535e Separate config option to use V5 keys from AEAD config option
• 9bb1710 Remove unused writeOldHeader function
• 8312399 Update V5 key hashing for signatures to rfc4880bis-07
• c8729a0 Fix serializing GNU stripped-keys
• 735d6d0 Implement V5 signatures
• f629ddc Fix reading and writing unencrypted V5 secret key packets
• dff1a8a Fix test failing due to expired key (#941)
• cbe88a5 Disable HKP tests (#940)
• a0e9c60 DSA: Fix intermittent generation of invalid signatures (#938)
• 3be779e Fix comment describing RSA coefficient u (#937)
• 8585ad8 Merge pull request #935 from twiss/fix-armor-checksum-errors

There are 25 commits in total.

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

---

Your Greenkeeper Bot 🌴

[greenkeeper]

After pinning to 4.5.5 your tests are still failing. The reported issue might not affect your project. These imprecisions are caused by inconsistent test results.

[greenkeeper]

• The dependency openpgp was updated from 4.6.0 to 4.6.1.

Your tests are still failing with this version. Compare changes

Release Notes for v4.6.1

• Use native Node crypto for RSA key generation (#947)
• Throw when trying to encrypt a key that's already encrypted (#950)
• Fix intermittent Brainpool sign/verify bug (#948)
• Style fixes; add spaces around all infix operators, remove use of new Buffer (#954)
• Fix generating signing subkeys (#967)
• Fix decrypting newly generated key object when using the Worker

Commits

The new version differs by 8 commits.

• a14b09c Release new version
• 67e98e8 Merge pull request #967 from twiss/keygen-fixes
• 18474bd Fix decrypting newly generated key object when using the Worker
• a731a60 Fix writing newly generated embedded primary key binding signatures
• 5d9629d Style fixes; add spaces around all infix operators, remove new Buffer (#954)
• b23ee19 Fix intermittent Brainpool sign/verify bug (#948)
• a7cc71e Throw when trying to encrypt a key that's already encrypted (#950)
• d27060e Use native Node crypto for RSA key generation (#947)

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.6.1 to 4.6.2.

Your tests are still failing with this version. Compare changes

Release Notes for v4.6.2

• Fix verifying one-pass signatures in the compat build (broken in v4.6.0) (#968)

Commits

The new version differs by 2 commits.

• 2877bac Release new version
• aa8d37a Fix verifying one-pass signatures in the compat build (#968)

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.6.2 to 4.7.0.

Your tests are still failing with this version. Compare changes

Release Notes for Lightweight Build & Performance Improvements

Lightweight Build

This release adds a lightweight build that can lazily load indutny/elliptic on demand if needed (#956).

indutny/elliptic is a large dependency of this library that adds support for certain ECC curves. It is not required if you only use RSA (currently the default for keys generated using OpenPGP.js), curve25519, or the NIST curves (with certain exceptions - see the list below). So, when using OpenPGP.js in a web app, a lot of bandwidth can be saved by not including it by default and only loading it when necessary. Currently, the lightweight build is more than 79kB smaller (32kB smaller when comparing gzipped sizes), and we hope to make it even smaller in future releases!

To use the lightweight build, simply use dist/lightweight/openpgp.js instead of dist/openpgp.js, and additionally copy elliptic.min.js from that directory. OpenPGP.js will then automatically load elliptic.min.js when encrypting, decrypting, signing or verifying a message using a (sub)key that uses one of the following curves:

• brainpoolP256r1
• brainpoolP384r1 (Note: this curve is non-standard)
• brainpoolP512r1
• secp256k1 (Note: this curve is non-standard)
• NIST P-521, when using Safari
• NIST P-256, NIST P-384 or NIST P-521, in an environment where Web Crypto and Node crypto are not available (e.g., on a non-HTTPS web page)

curve25519 is always supported, regardless of Web Crypto or Node crypto availability. Even when not using the lightweight build, we recommend only using curve25519 or one of the NIST curves, if possible, as indutny/elliptic's implementation of the other curves is not constant time (#720).

If you don't need support for other curves, you can also set openpgp.config.use_indutny_elliptic = false, and then you don't have to copy elliptic.min.js when using the lightweight build. Note: in environments where Web Crypto and Node crypto are not available (e.g., on a non-HTTPS web page), this may cause things to break, as it makes OpenPGP.js non-compliant with the spec, which requires support for NIST P-256.

There are two other config options to configure how to load indutny/elliptic: indutny_elliptic_path and indutny_elliptic_fetch_options.

Note: if your web app usually does use one of the curves listed above, it's best not to use the lightweight build, as loading both the lightweight build and elliptic.min.js currently actually adds almost 17kB over just using the normal build. We're planning to reduce this gap in future releases.

Backwards-Incompatible Changes

• Rename numBits and bits to rsaBits (#970)

  Keep supporting the old names as well though in openpgp.generateKey and getAlgorithmInfo, but not in openpgp.key.generate (as it is recommended that developers use openpgp.generateKey instead, and it now throws when using numBits instead of rsaBits, so there's no risk of silent key security downgrade).

  The old names are now deprecated, and might be removed in v5.

New features

• Implement Key.prototype.addSubkey (#963)

Performance Improvements

• Optimize encrypting and decrypting keys using iterated S2K (#1002)

• Use Web Crypto & Node crypto for RSA signing and verifying (#999)

  Also, when generating RSA keys using Web Crypto or Node crypto, swap the generated p and q around, so that we don't have to recompute the generated u coefficient.

• Verify NIST signatures using Web Crypto instead of indutny/elliptic when not streaming

• Use tweetnacl.js instead of indutny/elliptic for curve25519 key generation

• Don't initialize indutny's curve25519, improving performance when using that curve

• Use serialized EdDSA public key when signing instead of deriving it

Bugfixes

• Only store newly created signatures as valid in the non-streaming case

• Fix openpgp.revokeKey().publicKey when using the Worker

• Don't return lone \r characters in util.Uint8Array_to_b64

• AEAD: Fix high water mark calculation based on chunk size

• Fix queued bytes calculation for AEAD concurrency

• Fix crypto.random.getRandomBytes when loading OpenPGP.js inside a Worker (#997)

• Fix handling of private keys with leading zeros for certain curves

• Iterated S2K: always hash the full salt+password at least once

• Fix encrypting keys that were previously encrypted using a non-AES algorithm

• Always encrypt keys using AES, even if they were previously encrypted using a non-AES algorithm

• When generating RSA keys in JS, generate them with p < q, as per the spec

  Also, when generating RSA keys using Web Crypto or Node crypto, swap the generated p and q around, so that they will satisfy p < q in most browsers (but not old Microsoft Edge, 50% of the time).

Test Suite Changes

• Switch from Sauce Labs to Browserstack (#965)

• Fix key preferences test when using Worker and use_native=false

• Fix test failing on high-core-count systems due to AEAD concurrency

Refactorings

• Split up key.js (#972)

• Move KeyPair.sign/verify to ecdsa.js

• Move KeyPair.derive to ecdh.js

• Move keyFromPrivate and keyFromPublic to a new indutnyKey.js file

• Switch back to using upstream email-address library (#998)

• Refactor S2K function

Release Script

• Remove browserify caches when releasing, to prevent broken builds

• Don't use sed to edit gitignore in release.sh, as sed -i is not cross-platform

Commits

The new version differs by 28 commits.

• bc16d15 Release new version
• c70d150 Remove browserify caches when releasing
• 01b077e Don't use sed to edit gitignore in release.sh
• 6e7f399 Use Web Crypto & Node crypto for RSA signing and verifying (#999)
• e20d727 Always encrypt keys using AES
• 5bf0f96 Fix encrypting keys using non-AES algorithms
• afdacfa Merge pull request #1002 from openpgpjs/iterated-s2k-perf
• b091466 Iterated S2K: always hash the full salt+password at least once
• 6ddfca5 Refactor S2K function
• cd2bfca Optimize iterated S2K
• a6d7c46 Use serialized EdDSA public key when signing instead of deriving it
• fd9371a Mask curve25519 keys during generation (before serializing them)
• 563b397 Don't mask curve25519 private key twice
• a06bf91 Fix queued bytes calculation for AEAD concurrency
• 08b7725 Create lightweight build that can lazily load indutny/elliptic if needed (#956)

There are 28 commits in total.

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.7.0 to 4.7.1.

Your tests are still failing with this version. Compare changes

Commits

The new version differs by 5 commits.

• 5a62c4f Release new version
• 5a24bc7 Fix verifying RSA signatures with leading zero in Web Crypto
• ad0fdcc Fix openpgp.config.use_native = false for RSA sign/verify
• 45c2e67 Use native Node crypto for RSA encryption (#1006)
• 495fe10 Apply eslint to test/crypto folder (#1003)

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.7.1 to 4.7.2.

Your tests are still failing with this version. Compare changes

Release Notes for v4.7.2

• Only throw on authorized revocation key when verifying self-signatures (#1017)
• Explicitly include 'uncompressed' in preferred compression algos (#1020)

Commits

The new version differs by 3 commits.

• ba944c8 Release new version
• 3d75efc Only throw on authorized revocation key when verifying self-signatures (#1017)
• e1b9156 Explicitly include 'uncompressed' in preferred compression algos (#1020)

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.8.0 to 4.8.1.

Your tests are still failing with this version. Compare changes

Commits

The new version differs by 20 commits.

• 09e8187 Release new version
• 786d909 Fix worker tests in compat browsers
• e8ee70b Fix UnhandledPromiseRejectionWarnings in Node.js
• 382c05d Remove accidental .only in test suite
• 9bdeaa9 Don't keep entire decrypted message in memory while streaming
• 6e13604 Replace 'window' with 'global'
• 81d6b45 Test loading OpenPGP.js from a Worker in the application
• 66acd97 Clear worker key caches in openpgp.destroyWorker()
• fb666f0 Implement openpgp.getWorker().clearKeyCache()
• 5234323 Implement Key.prototype.clearPrivateParams
• 26d107b Zero out private key parameters in clearPrivateParams
• 889e0c4 Allow calling clearPrivateParams on decrypted keys
• 6ae6012 Terminate workers in openpgp.destroyWorker()
• 94a04ea Switch code coverage reporter to nyc (#1005)
• 1462aff Release new version

There are 20 commits in total.

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.8.1 to 4.9.0.

Your tests are still failing with this version. Compare changes

Commits

The new version differs by 9 commits.

• 93c5bed Release new version
• dc9660f Add tests with old and new Blowfish encrypted messages
• 84a1287 Fix Blowfish block size
• 801b44f Don't use Node symmetric crypto when !config.use_native
• fc0052e Implement streaming non-AES encryption and decryption
• 2ec8831 Use native Node crypto for non-AES encryption and decryption
• e14a3c7 Add instructions to pipe unarmored encrypted data on Node.js
• b49e787 Update setup instructions
• 7000d9d Clean up README.md

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.9.0 to 4.9.1.

Your tests are still failing with this version. Compare changes

Commits

The new version differs by 4 commits.

• 3af8e32 Release new version
• 92eda27 Binary signature on text message: sign and verify text as UTF-8
• de6ab1d Add inline sourceMap in minified files in grunt build --dev
• 21c7d69 Fix typo in symmetric encryption example in README.md (#1042)

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.9.1 to 4.10.0.

Your tests are still failing with this version. Compare changes

Release Notes for v4.10.0

• All signatures using MD5 or RIPEMD are now rejected by default (#1043)
  Set openpgp.config.reject_hash_algorithms.add(openpgp.enums.hash.sha1); to add SHA1 to this list, for extra security. This may break compatiblity with encrypting to old public keys, which may still use SHA1 for their self-signatures. We may add SHA1 to this list by default in the future.
• Message signatures using MD5, RIPEMD or SHA1 are now rejected by default
  Set openpgp.config.reject_message_hash_algorithms.delete(openpgp.enums.hash.sha1); to remove SHA1 from this list, in order to maintain increased compatibility with very old signatures.
• await signatures[*].verified after const { signatures } = await openpgp.decrypt/verify() now throws rather than returning false for all signature verification failures (it already threw for some errors)
• (When not streaming) signatures[*].valid is now false for all signature verification failures (it used to be null for some errors; now it's only null if the signing public key was unavailable or invalid)
• Key.prototype.validate now throws if the private key parameters don't match the public key parameters
• Key.prototype.verifyPrimaryKey now throws if the primary key is invalid
• Key.prototype.getPrimaryUser now throws if there is no valid primary user
• Key.prototype.getSigningKey and Key.prototype.getEncryptionKey now throw if there is no valid signing/encryption key
• Key.prototype.getRevocationCertificate now throws if there is no valid revocation certificate
• SubKey.prototype.verify now throws if the subkey is invalid
• User.prototype.verify now throws if there are no valid self certificates
• User.prototype.verifyCertificate now throws if the user certificate is invalid
• Optimize reading and writing armored messages (#1043)
• Fix error message for legacy encrypted private keys

Commits

The new version differs by 7 commits.

• f6507c3 Release new version
• 2131fb0 Fix error message for legacy encrypted private keys
• c6ed05d Optimize crc24 calculation
• 2ff4fbb Optimize base64 encoding and decoding
• 15202d9 Don't use polyfilled Set in compat build
• 4bd22eb Unit tests: eval config query parameters instead of parsing as JSON
• 8c3bcd1 Reject signatures using insecure hash algorithms

See the full diff

[greenkeeper]

• The dependency openpgp was updated from 4.10.0 to 4.10.1.

Your tests are still failing with this version. Compare changes

Release Notes for v4.10.1

• Fix generating keys with a date in the future
  This was broken in 4.10.0. (Before then, the revocation certificate was already broken when generating a key with a date in the future.)
• Remove no-op revocationCertificate option from reformatKey

Commits

The new version differs by 3 commits.

• b6a6f52 Release new version
• e986c47 Remove no-op revocationCertificate option from reformatKey
• 60822d8 Fix generating keys with a date in the future

See the full diff